[英]Possible to login without the digits in the password
I just discovered that my password-protected area is not that protected. 我刚刚发现我的密码保护区域没有受到保护。 Passwords are required to use digits.
需要密码才能使用数字。 Now, if the password has the digits at the end, somehow the login is accepted as long as the az part of the password is correct.
现在,如果密码末尾有数字,只要密码的az部分正确,就可以接受登录。 Why is that and how can I correct that?
为什么会这样,我该如何纠正呢? (PHP 5.4.28)
(PHP 5.4.28)
function generate_hash($password)
{
$salt = openssl_random_pseudo_bytes(22);
$salt = '$2a$%13$' . strtr($salt, array('_' => '.', '~' => '/'));
return crypt($password, $salt);
}
$bind = array(":email" => $email, ":password" => crypt($password, generate_hash($password) ) );
$results = $db->select("users", 'email=:email AND password=:password', $bind);
I don't know about the specifics of your problem, but you're using the hash completely wrong. 我不知道您的问题的具体情况,但是您使用的哈希完全错误。 To use
crypt
, you do the following: 要使用
crypt
,请执行以下操作:
On registration: 注册时:
$salt
argument in a proper format: $2a$xx$...
(note: no %
, that may contribute to the problem) $salt
参数: $2a$xx$...
(注意:否%
,这可能会导致问题) crypt($password, $salt)
crypt($password, $salt)
散列密码 On login: 登录时:
crypt($enteredPassword, $databaseHash)
crypt($enteredPassword, $databaseHash)
生成哈希 You're not doing that at all. 你根本不这样做。 You should probably also use
password_hash
instead, which takes care of a lot of pitfalls in the usage of the raw crypt
API. 您可能还应该改用
password_hash
,它可以避免使用原始crypt
API时遇到的许多陷阱。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.